Re: [cobalt-users] Re: phpMyAdmin multi-user
- Subject: Re: [cobalt-users] Re: phpMyAdmin multi-user
- From: Brent Sims <bs@xxxxxxxxxxx>
- Date: Thu Aug 30 16:37:09 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Thu, 30 Aug 2001, Steve Werby wrote:
} Brent and others, it's trivial in *modern* versions of phpMyAdmin to
} configure the software to only allow users to access (and view the names of)
} databases for which they have privileges.
Hi Steve,
I'm sorry but preventing someone from viewing the database
names is not quite trivial. Not looking for a fight. Should have
kept my mouth shut as I don't have time for this kind of thing but
I just can't let this one slide by.
I just installed phpmyadmin 2.2.0 - the latest version
according to the information on the web site. The install was down
and dirty - I simply stuffed a valid user name and password into
applicable fields in the config file and pointed a browser at it.
While it did indeed limit me to only viewing the databases for which
the user name and password I used were granted privileges to it
still provided all of the clues one needs to obtain a list of
databases. I simply cut and pasted the information displayed on one
of the phpmyadmin screens to another script which I just downloaded
from cgi-resources.com and there I was - looking at a list of the
databases hosted on our mysql server - all without shell access.
Fact is, the only problem I ran into and the most time consuming
aspect of this entire cycle was downloading the latest version of
phpmyadmin - none of the links on the site's pages worked with my
fresh IE 6.0.26 install. I had to install Netscape just to download
the blasted script...
Worse yet, perhaps, I left our original phpmyadmin
installation in place and even though I was logged in to a
non-privileged garden variety user account, well, let's just
say it's best to run PHP in the safe mode in a virtual hosting
environment.
I'm not saying you don't know your business I just hate
seeing people inadvertently (I know your intentions are good
and that you are very clueful) lured into a false sense of security.
I'm not a cracker. I don't even consider myself to be a knowledgeable
system admin. I use FrontPage which, I am often told by those who
know more about this stuff than I do, tells the whole world that I'm
entirely clueless... nevertheless, getting a list of database names
was indeed trivial for this clueless old fart, and from the looks of
things, unless PHP is running in the safe mode and phpmyadmin has
been configured to use advanced authentication, getting at the
databases themselves, very possibly even the root account on mysql,
wouldn't take much more effort than getting the database names did.
Peace be with you,
Brent Sims
WebOkay Internet Services, LLC
http://www.WebOkay.net
mailto: Brent@xxxxxxxxxxx
(719) 595-1427 (Voice/Fax)